
Welcome to the Data Security Decoded podcast by Rubrik Zero Labs. In this episode, our host Caleb Tolin speaks with Pavlina Pavlova, a researcher and cybersecurity advocate focused on data weaponization and its disproportionate impact on vulnerable populations. Pavlina defines data weaponization, explains how attacks on healthcare and critical infrastructure affect different populations unequally, and discusses how current policy frameworks fail to address gender dimensions. She also shares practical advice for under-resourced organizations to improve their cyber resilience despite limited funding, emphasizing the importance of international cooperation and responsible data collection practices.
A
Data weaponization, to me means the act of using data to manipulate, deceive, coerce, or attack someone, or otherwise inflict harm on them.
B
Welcome to another episode of Data Security Decoded by Rubrik Zero Labs. I'm your host Caleb Tolin, and in this episode I had the pleasure of sitting down with Pavlina Pavlova, an esteemed cybersecurity expert and policy advisor at institutions like the Cyberpeace Institute and the United Nations. Pavlina's expertise not only covers the technical aspect of cybersecurity, but also the intricate interplay of governance, security, and human rights within cybersecurity. I really enjoyed hearing Pavlina's insights into data weaponization and her ongoing efforts to address challenges facing organizations operating within critical infrastructure. Now, before we dive into the episode, if you're not subscribed to the podcast already, please do subscribe. Leave us a review, leave us a comment. All of that type of feedback really helps make sure that we're making this really valuable for you, and be sure to subscribe so you don't miss the next episode. Thanks again and let's dive into the episode. Pavlina, thank you so much for spending some time with us. I am really excited to dive into this conversation, and really where I'd love to start is I know a lot of your research focuses on data weaponization and its disproportionate impacts on vulnerable populations. To start, can you define what data weaponization is?
A
First of all, thank you for having me on this podcast. It's a great pleasure to share about my research, so thank you for inviting me. And yeah, let's start with data weaponization. As I define it in my research, and I will speak about why it was important to take this very broad definition, is that data weaponization to me means the act of using data to manipulate, deceive, coerce or attack someone or otherwise inflict harm on them. And this includes very many offenses in cyberspace such as data breaches and unauthorized access, but also authorized access. The authorization may be granted knowingly or under false pretenses, such as through social engineering techniques or other forms of manipulation. And additionally, data can be also extracted by coercing and intimidating the targets. And this includes, for example, non-consensual sharing of intimate images. So you have a crime which deeply affects women, and the photos can be shared at some moment but then disseminated non-consensually. And this is also covered in the new UN Cybercrime Convention. And this includes also deepfakes, so pictures which are available online or publicly and fed into those AI image generators, but with impacts which are harmful to the targets. And it's important to have this broad definition because it can then capture the harms to women and men in distinct ways. And the key question for my research when I was compiling the report for New America was why the nature of an attack or its impact is gendered. So just because it happens to a woman, it doesn't make it gendered. But if a woman and a man with similar attack have different consequences, that makes the consequence gendered. So the key question is why, if I'm a woman or a man or gender or sexual minority, it matters in the digital realm.
B
Thank you for that context. That's really helpful to kind of orient us in the conversation. And a sentiment that you shared with me that stood out as we were preparing for this conversation was attacks aren't getting more sophisticated, they're getting more vicious. And I thought a really real example of how that is manifesting is how data is being weaponized to target critical infrastructure like energy, education, and transportation, to which your research, you know, really dives into those specific areas. How are these attacks affecting the populations that you've studied, and what are the critical challenges that this poses for national security?
A
So I focus a lot on health care. In my research, what we see is that ransomware attacks against the health care infrastructure and attacks against including sexual and reproductive health facilities and services are growing. And what is surprising is still that while cybercriminal gangs are getting more organized, for example, like in ransomware as a service, at the same time, we see that how these systems get breached is not because of some tremendous innovation, but because of phishing attacks, because of missing multifactor authentication to secure the access, or delayed patching. So these are quite basic cybersecurity measures. And I focus on healthcare to demonstrate the consequences of cyber attacks, because healthcare is essential. Service and provision of healthcare is extremely urgent. So any disruption is felt immediately and very directly. Something that, for example, when we have attacks against the public services and administration can take longer time or have, like, lower consequences throughout a prolonged time. But with healthcare, it's pretty much immediate. We see cancellations of medical appointments, cancellation of surgeries, diverted ambulances, cancellations of blood donations, and staff is more prone to mistakes. For example, there have been cases during the cyber attacks that, for example, nurses and doctors were giving wrong medication, or almost like on the verge of giving wrong medications and harming the patients because they lost access to data. It was interrupted with the cyber attack and certain groups will feel disproportionate consequences of these attacks. For example, women, because they are caregivers and they will be caring for sick and for elderly and for young, they will feel more consequences if these services are interrupted. And also women are reliant on these services more because, for example, their sexual and reproductive health. 
So if they are giving birth, there has been research, not particularly on cyber attacks, but on other critical disruptions in healthcare services, showing that women are disproportionately impacted and they face birth complications if there is any disruption in energy or healthcare. And women also have very sensitive data, personal, for example, I mentioned previously, sexual and reproductive health. So when it comes to the abortion data or sexual health data, these data can be extremely stigmatized. So they are not the only group who is disproportionately impacted, but they are one of the key big groups in the society which suffers because of these attacks overwhelmingly and still is not accounted for sufficiently when we speak about cybersecurity measures and data protection measures. And you mentioned that these attacks are getting more vicious. And I looked into it and why is it happening? And I believe there are two main reasons for that. And the first is that organizations are, first of all, they're betting in having backups, right? So the cyber criminals also develop their tactics with having double and triple extortion in place. And this is way more common in the past years than it was before. But also very important political dimension to that. Cybercriminals are successful. And cybercrime is growing because they are provided sanctioned jurisdictions. So it means that certain countries are harboring cybercriminals and they know about their activities and they are not helping in international cooperation to bring accountability for those crimes. And without those, it would be very hard for cyber criminals to operate on the level that they do right now. It would be way easier for accountability measures and way easier for law enforcement to have joint cooperation and to take down the cybercriminal gangs.
And that also means that as they are harbored by certain governments, they also align with their foreign policy, so they know that they cannot cause trouble to the country, because otherwise they would just crack down on them and they kind of understand what is the line that they need to follow. And now comes the attacks on healthcare or other parts of critical infrastructure. On one hand, we see preeminently financial motivation, but on the other, we also see that disrupting well being and public health and social resilience benefits the adversary nations and benefits governments which harbor cybercriminals. So we see these rising trends of attacks that have both financial motivation and like disrupting societal resilience, inflicting harm on populations.
B
Motivation that's very specific to healthcare too. And I think there were some really interesting and powerful stories that you shared too about some other critical infrastructure related industries like transportation specifically. I remember an example from your paper about how oftentimes women are one of the groups that rely so much on public transportation as caretakers oftentimes, like you mentioned previously. Do you see how these attacks targeting other forms of critical infrastructure, like I mentioned with education or transportation or energy, is the approach different from the attackers or is the outcome different? What's the discrepancy between those types of industries and health care?
A
It's a very interesting question and we definitely, what we need is more data to compare. Also knowing the motivation and knowing the impact, definitely we see that disruption of critical services is about also disrupting societal resilience and just like impacting the population. So I would say like in that realm it has similar logic, but at the same time not to forget about the data which is being extracted. So in that sense I would compare, for example, healthcare data, which is one of the most sensitive, to some cases of attacks and ransomware attacks against education facilities. So there would be some extremely sensitive records of students taken and then used in ransomware to demand the payments. Otherwise the attackers were trying to publish those. And it's also important that with these attacks, while we don't see the data being published at a large scale now, there have been many, very many cases of this data being published and leveraged and said that, but they are already, even if they are not published, the threatening for publishing those data is a very common practice. At the same time it increases, even if the data in the end would not be published, it increases the perception of threat and of risk. So it has this very negative impact on the populations and also on the targets of those ransomware diseases, demands and kind of made them more prone to pay the ransom, but also more prone to be generally scared about the situation and the potential of them being impacted.
B
That sentiment of attacks not being more sophisticated but more vicious, attacks definitely seem to be quite vicious when targeting critical infrastructure because the impact is really, really human. It's tied to our day to day lives. And I think that is a big critical area that I know many organizations are trying to address right now. And that kind of is a really good transition into the next question I had for you, which is you noted in some of your research that current policy and frameworks that exist right now don't adequately address gender dimensions of data weaponization. And I know you've done work with the European Parliament, Cyberpeace Institute. We were just talking about how you're doing some work with the United Nations as well to address issues like these. What needs to happen from a data privacy public policy perspective to protect sensitive data from weaponization? Is there any possibility for a global or large scale regional policy? Or are we looking at something more country by country based?
A
One gap that I see persistently across countries, across different levels, whether it's international, national, is understanding and acknowledging the impacts. And unfortunately because the situation is worsening, we'll have to eventually acknowledge the impacts and also how they are connected to national security and just like well being of the populations. So I would start with the harms, we need to make them more understandable to support the recognition and development of solutions. The public is very much still unaware that we have such exposure to accidents and adversaries currently. And one comparison that I for this by very much saying is that we live in a glass house and people are about to start throwing rocks. Because if there is a war, and we've seen this with the recent accusations of prepositioning of the Chinese actors in the US critical infrastructure, it will be a hybrid conflict. The Odyssey in Ukraine it is a hybrid conflict. How much of the cyber dimension is playing part in the strategies is still a question. But we see it's an important part of the strategy to undermine the resilience of a fighting nation. And many of our adversaries have demonstrated that they are both willing and able to disrupt critical infrastructure. So we need to get these impacts and motivations into the mainstream discussions to understand how they are connected. For example, when we speak about how national security is connected to the fact that cybercriminal gangs are publishing abortion data, it sounds, when you hear it first, it may sound like far fetched, like why does this very individual impacts connect to the level of national security? But in a hybrid conflict they do, because in a hybrid conflict you use whatever means you have and you have more and more means to use against the populations to undermine them.
So this is the reality of today's conflict, but also of today's peace situation, because we see that countries are attacked relentlessly, whether they are in war or in peace through cyber means. But we are also seeing on the other hand, what is positive on this side. We are seeing more recognition for concepts such as privacy by design and security by design, which are pushed forward both in the US and in the EU and defence context. And they received also very much international action. We see a lot of international cooperation, coalition of willing countries. And these are very important because cybercrime and ransomware, which is key threat, are international. So we need international networks and joint operations which can take these gangs and disorganized groups down. And at the same time we see stronger coalitions of willing countries over the years, such as for example International Counter Ransomware Initiative, which was hailed as a great success by many countries. And we see also coalitions of willing countries together sanctioning cybercriminals and sanctioning those who are also behind state supported attacks. So more strategic attacks against countries all over the world. And we need to continue in this direction. So we need to cooperate also with the private sector. And a lot of positive stuff was done in the past years also with CISA in the US and in Europe. So I wish that we had geopolitical situation which is conducive to this, to support and grow these positive changes further to see increased accountability in cyberspace rather than undermining what we have achieved. Going back.
B
Right. The private sector definitely plays a big role in that, that shared responsibility for sure. And you mentioned something about Chinese threat actors pre-positioning in American critical infrastructure. That's definitely true, definitely happening. And just for our listeners who aren't already aware, there's a really great podcast out from Rubrik, hosted by Nicole Perlroth, bestselling author and former cybersecurity lead reporter at the New York Times, all about China's shift in their cybersecurity strategy or their cyber espionage strategy from stealing IP to now pre-positioning in US critical infrastructure to prepare for a potential attack in the future. So if you haven't already listened to that, definitely recommend it. It's a really fascinating story and a lot of interesting and important perspectives are shared there. But kind of back to the topic at hand too. So if we do have either some form of more, you know, global or multinational agreement to figure out how we address these issues, what can organizations, particularly organizations who don't have a ton of funding, do to prepare for these types of attacks? Let's use a rural women's clinic as an example. How could an organization like that, that doesn't have a really massive budget like say someone in the DOD (for a non-US audience, that's the Department of Defense here in the United States) or some massive enterprise company, how can those more under-resourced, more underfunded organizations meet the new standards of these types of agreements or just improve their overall resilience?
A
It's obviously very difficult for small and under-resourced organizations or cyber poor organizations to keep them protected. But at the same time I think especially operating with data, to be responsible with how you collect data in the first place. What I've seen a lot in the research is that that was the case of like femtech and dating apps, etc, but not necessarily all those NGOs. But the lesson is universal, that we see a lot of data and a lot of private data, a lot of sensitive data being and health data being collected just because it's believed that you need those data or that you can commercialize those data and set that once you have this data in the pipeline, it's very difficult to protect them responsibly. So just like first of all, the collection of any data that you process must be responsible and must be minimized to what you really need to deliver the service. But there's also a lot of free help available to organizations. There are cyber security volunteers, there are programs that I've been working with who offer this help specifically for NGOs because we know that different kinds of organizations, whether based on their size or subject matter, will have different needs. It's not like you are there alone by yourself. There are programs which are not only offering ready made packages for you, but actually helping you to fine tune your cybersecurity protection for the organization. And there's also finally a lot of toolkits to be used, a lot of helplines currently available. So what I find a bigger issue with those organizations is not that there wasn't enough of resources available, but because the resources inside of the organizations are strained on delivering help or delivering care, delivering services, and also attracting funding. What we see that especially with small organizations, once they attract any funding, the funding is very rarely marked for cybersecurity protection.
So you give a grant to organization to deliver services, you don't earmark it for also protecting those services from like cybersecurity perspective. And that's something also need to change from the donors. They're giving more flexibility to the organizations to actually protect themselves in cyberspace. Because one big trend that we are seeing also with politicized attacks is that NGOs, think tanks, and on the first look, very unrelated organizations with national security are being attacked because they are being leveraged for whether getting data in the pipeline for the attackers, but also to get into those like politically important organizations. So we see that once there is hybrid war, just like more attacks deployed against certain nations, also their NGOs also other clinics and such that like get attacked in higher numbers. So it's not a question of whether they will get potentially attacked, it's a question of when. And they need to be prepared for that. But as under-resourced organization, I understand they find it very hard to even have a person for that or having any time of any experts devoted to that. So it's also about organizations to start thinking differently about cybersecurity. And it's definitely not only problem of this mindset and cyber security mindset is not only problem of small NGOs, but also big organizations. We see it in hospitals, in healthcare a lot, and in public administration a lot. And these are big and national, often national kind of agencies which do not protect sufficiently.
B
Right? Definitely a big challenge. And you mentioned something about volunteer organizations and things like that for cyber response, and I would be remiss if I didn't give a shout out to one of your colleagues, Michael Razik, who is also a New America Share the Mic in Cyber Fellow. We did an episode with him where we talked about civilian cyber corps. So listeners, if you haven't already checked it out, check out that episode. It's really helpful. Shared a ton of useful resources in that one too. And I know there's also a lot of resources from organizations like CISA that create these frameworks and different resources that organizations who may not have the same amount of funding as a larger enterprise or publicly funded institution may have. They can leverage these resources too. So that is awesome. Thank you Pavlina, so much for joining us. This has been a really valuable session. I know there were a ton of resources shared and thank you for your time and hopefully we can have another discussion again really soon.
A
Thank you for having me.
Date: April 8, 2025
Host: Caleb Tolin (Rubrik Zero Labs)
Guest: Pavlina Pavlova (Cybersecurity Expert, Cyberpeace Institute, UN Advisor)
This episode explores the weaponization of data—how data is increasingly used to manipulate, coerce, and harm individuals and institutions. Pavlina Pavlova, an internationally recognized cybersecurity advisor, discusses how such attacks especially impact vulnerable populations and critical infrastructure sectors such as healthcare, transportation, and education. The conversation emphasizes not just financial motivations but the disproportionate and immediate human consequences of cyberattacks, gender-specific impacts, and the challenges in both policy and frontline defense, particularly for under-resourced organizations.